
OAuth Token Abuse in Klue Integration Led to Salesforce CRM Data Theft by Icarus Group

Attackers exploited a legacy Klue integration credential to generate OAuth tokens, then used Python scripts to extract CRM data from customer Salesforce instances over 24 hours, targeting cybersecurity firms including Huntress and Tanium.

The Credential That Shouldn’t Have Been Left On

It wasn’t a zero-day. It wasn’t a phishing email. It was a forgotten password.

Klue’s engineers had built a prototype integration back in 2023—just a quick script to pull Salesforce leads into their AI dashboard. They tested it. It worked. Then they moved on. The credential? Left active. No rotation. No monitoring. No one even remembered it existed.

Until June 12, 2026.

That’s when the first anomalous token refresh hit their logs. Not from a user. Not from an employee. From a service account that hadn’t logged in since the last company picnic.

The attacker didn’t break in. They just walked through the back door.

And they didn’t stop.

They didn’t need to.

The OAuth token they stole had broad, persistent access to Salesforce REST APIs across Klue’s customer base. No MFA. No session timeout. Just a quiet, unmonitored key to thousands of CRM instances.

They ran Python scripts.

Not fancy ones. Not obfuscated. Just urllib—the same library every intern learns on day one. User-agent: Python-urllib/3.12. Then 3.14. Simple. Clean. Invisible.

For 24 hours, they pulled data. Slow at first. A few hundred queries an hour. Then, in one 15-minute burst, nearly a thousand. A flood. Not chaotic. Calculated.

One victim, Huntress, confirmed the theft: business contacts, sales notes, pricing tiers, opportunity pipelines. All gone. Not from their internal systems. Not from their servers. From their Salesforce, accessed through Klue’s forgotten key.

And here’s the real kicker: Klue didn’t even store the data themselves. Their platform was untouched. The breach was entirely in the integration layer. A supply chain attack not by malware, but by neglect.

This isn’t a hack. It’s a habit.

We’ve all done it. Left a dev key running. Forgot to revoke a test app. Assumed "it’s just internal." But in 2026, "internal" doesn’t mean safe. It means target.

And the attackers? They knew it.

They didn’t need to be geniuses. They just needed to be patient.

And we? We need to stop pretending that service accounts are any less dangerous than human ones.

They’re not.

They’re worse.

Because no one’s watching them.

The IP Addresses That Didn’t Care Who You Were

The attacker didn’t hide. Not really.

ReliaQuest’s GreyMatter Transit flagged traffic from four IPs:

  • 138.226.246[.]94 — linked to spam campaigns since 2024
  • 212.86.125[.]24 — Netherlands-based data center
  • 213.111.148[.]90 — French hosting provider
  • 94.154.32[.]160 — Ukraine

No Tor. No proxies. No obfuscation.

Just clean, direct, public-facing servers.

Why?

Because they didn’t need to.

The API calls looked legitimate. The OAuth token was valid. The user-agent was standard. The query volume? Normal for a data sync.

Until it wasn’t.

GreyMatter didn’t catch a malicious payload. It caught a pattern: a single service account, over 24 hours, shifting from slow, steady polling to a sudden, intense burst. That’s the tell. Not the IP. Not the script. The behavior.

And that’s the lesson.

We spend millions on endpoint detection, firewalls, EDRs. But the most dangerous attacks don’t come from malware. They come from abuse of trust.

This wasn’t a breach of Klue’s network. It was a breach of their assumptions.

They assumed:

  • Service accounts are safe because they’re "internal."
  • OAuth tokens are secure because they’re "long-lived."
  • API access is fine because it’s "automated."

None of those are true.

And the attacker knew it.

They didn’t need to crack anything. They just needed to wait for someone to forget.

The IPs? Just endpoints. The real vulnerability was in the process.

And guess what?

It’s still there.

In your company. In your vendor’s. In every integration that says "it’s just for reporting."

It’s not.

It’s a backdoor.

And someone’s already looking for it.

Huntress, Tanium, and the Quiet Fallout

The victims weren’t random.

Huntress. Tanium. Recorded Future. Snyk. OneTrust. HackerOne.

All cybersecurity firms.

Not a coincidence.

The attackers didn’t go after banks. Or hospitals. Or retail chains.

They went after the people who defend them.

Why?

Because in cybersecurity, your CRM isn’t just a list of contacts.

It’s your playbook.

Sales notes. Pricing tiers. Competitor intelligence. Pipeline forecasts. Contract renewal dates. Client pain points.

This wasn’t just data theft.

It was intelligence gathering.

Huntress confirmed the attackers sent extortion emails using an Australian company’s email server—valid SPF, valid DMARC. They didn’t spoof. They hijacked.

That’s next-level.

They didn’t just steal your data.

They stole your reputation.

And they did it without touching a single server inside your network.

The worst part?

Most of these companies had better security than Klue.

But none of them could stop an attack that started outside their perimeter.

This isn’t about your firewall.

It’s about your vendor’s.

And if you’re still trusting third-party integrations without monitoring their API behavior? You’re already compromised.

The attackers didn’t need to infiltrate Huntress.

They just needed to infiltrate Klue.

And Klue? They didn’t even know they were a target.

Until it was too late.

This isn’t a supply chain attack.

It’s a trust chain attack.

And we’re all still holding the chain.

The Detection That Shouldn’t Have Been a Miracle

GreyMatter Transit didn’t catch a virus.

It didn’t see a malware signature.

It didn’t even need to touch an endpoint.

It just watched the network.

And saw three things:

  1. An OAuth token refresh from a service account that hadn’t logged in for 18 months.
  2. A sustained, low-volume rise in Salesforce REST API calls over 24 hours.
  3. A sudden, unnatural burst of 987 queries in 15 minutes.
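Those three signals are all behavioral, and all of them can be computed from nothing more than who called what, and when. The Python below is an added example, not ReliaQuest's, Klue's or Salesforce's code: it runs over a constructed API access log (timestamp, principal, event, user-agent) and flags a token refresh by a dormant account, a day-long rise above a principal's expected volume, and a single 15-minute window far above that principal's own median. The principal names, the "last seen" table, the expected-volume table and every threshold are assumptions.

```python
"""Behavioral detection over a constructed Salesforce-style API access log.

Added example, not code from the original post or from any vendor named in
it. Flags three signals: a token refresh by a dormant service account, a
sustained rise in REST calls over the day, and a short, intense burst.
The log lines, principal names, reference tables and thresholds below are
all constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

DORMANT_DAYS = 540      # assumption: roughly 18 months without a login
BURST_FACTOR = 10       # assumption: a 15-minute window > 10x the principal's median is a burst
SUSTAINED_MIN = 100     # assumption: daily totals below this are never called a "rise"

# Constructed reference data: last successful login and expected daily call volume.
LAST_SEEN = {
    "svc-klue-sync": datetime(2024, 12, 1),      # dormant integration account
    "alice@example.com": datetime(2026, 6, 11),  # a normal human user
}
EXPECTED_DAILY = {"svc-klue-sync": 0, "alice@example.com": 40}


def build_log():
    """Constructed log: 'timestamp principal event user_agent', one event per line."""
    lines = ["2026-06-12T00:00:05 svc-klue-sync TOKEN_REFRESH Python-urllib/3.12"]
    t = datetime(2026, 6, 12, 0, 1)
    # Slow, steady polling: one query every 15 seconds for 20 hours (240/hour).
    for i in range(20 * 60 * 4):
        ts = t + timedelta(seconds=15 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} svc-klue-sync REST_QUERY Python-urllib/3.12")
    # Then a burst: 987 queries spread evenly across one 15-minute window.
    burst_start = datetime(2026, 6, 12, 20, 30)
    for i in range(987):
        ts = burst_start + timedelta(seconds=(900 * i) // 987)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} svc-klue-sync REST_QUERY Python-urllib/3.14")
    # Background noise from an ordinary user, which must not be flagged.
    lines.append("2026-06-12T09:15:00 alice@example.com REST_QUERY Mozilla/5.0")
    return lines


def parse(line):
    ts, principal, event, ua = line.split(" ", 3)
    return datetime.fromisoformat(ts), principal, event, ua


def window_of(ts):
    """Start of the 15-minute bucket that contains ts."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)


def detect(lines, now=datetime(2026, 6, 12)):
    """Return findings as (kind, principal, when, count) tuples."""
    findings = []
    windows = defaultdict(Counter)  # principal -> {window start: query count}
    for line in lines:
        ts, principal, event, _ = parse(line)
        if event == "TOKEN_REFRESH":
            last = LAST_SEEN.get(principal)
            # Unknown principal or one not seen for DORMANT_DAYS: the first tell.
            if last is None or (now - last).days > DORMANT_DAYS:
                findings.append(("dormant_refresh", principal, ts, None))
        elif event == "REST_QUERY":
            windows[principal][window_of(ts)] += 1

    for principal, buckets in windows.items():
        # Signal 2: the day's total against what this principal normally does.
        total = sum(buckets.values())
        expected = EXPECTED_DAILY.get(principal, 0)
        if total > max(3 * expected, SUSTAINED_MIN):
            findings.append(("sustained_rise", principal, min(buckets), total))
        # Signal 3: one window far above the principal's own median window.
        base = median(buckets.values())
        for start, n in sorted(buckets.items()):
            if n > BURST_FACTOR * base:
                findings.append(("burst", principal, start, n))
    return findings


if __name__ == "__main__":
    for kind, principal, when, count in detect(build_log()):
        print(kind, principal, when, count)
```

The baseline is per principal rather than global on purpose: a few hundred calls an hour is normal for a busy sync job and alarming for an account that should be idle, so the same absolute volume has to be judged against the account's own history. Seeding `LAST_SEEN` and `EXPECTED_DAILY` from real identity-provider and API-gateway data is the part that takes work; the comparison itself is a few lines.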

That’s it.

No telemetry. No agents. No cloud logs.

Just network traffic.

And it flagged it as a single intrusion.

That’s the future.

Not AI that predicts. Not EDR that hunts.

Just visibility.

We’ve spent a decade building layers of detection.

But the simplest layer—seeing what’s actually happening on the wire—is the one we ignore.

Why?

Because it’s hard.

Because it costs money.

Because we think we’re protected by firewalls and MFA.

We’re not.

MFA doesn’t protect service accounts.

Firewalls don’t stop API abuse.

And if you’re not monitoring your integrations like they’re critical infrastructure? You’re just waiting for your turn.

GreyMatter didn’t save Huntress.

It just showed them what happened.

The rest? That’s on them.

And on you.

Because the next time?

It won’t be Klue.

It’ll be your vendor.

And your CRM.

And your sales team.

And you won’t even know until the extortion email hits your inbox.

With your company’s name on it.

And your own email server.

The Real Problem Isn’t the Hack—It’s the Culture

Klue laid off half their staff in June 2025.

They doubled down on AI.

They didn’t hire a CISO.

They didn’t update their integration policy.

They just assumed the machines would keep things running.

And they did.

Until they didn’t.

This isn’t a technical failure.

It’s a cultural one.

We treat service accounts like ghosts.

We forget they exist.

We don’t rotate their keys.

We don’t audit their access.

We don’t even know who owns them.

And then we’re shocked when they’re exploited.

It’s like leaving your house keys under the mat and blaming the burglar.

The attacker didn’t break in.

They just picked up the key.

And here’s the truth no one wants to say:

You don’t need better tools.

You need better habits.

Every integration you build? Treat it like a human account.

Rotate the credentials every 90 days.

Monitor the API calls.

Require MFA—even for service accounts.

And when you retire a tool? Revoke the key. Not just delete the code.
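Those four habits are checkable, and the check is cheap once you have an inventory. The Python below is an added example, not Klue's or any vendor's tooling: it applies the checklist above (rotate every 90 days, revoke keys for retired tools, require MFA on service accounts, know who owns what) to a constructed credential inventory and returns the action required for each non-compliant credential. The record layout, the sample entries, the audit date and the 180-day "dormant" cutoff are assumptions.

```python
"""Integration credential hygiene audit.

Added example, not code from the original post or from Klue. Applies the
post's checklist to a constructed inventory of integration credentials and
reports what has to happen to each one. Field names, sample entries, the
audit date and the dormancy cutoff are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_KEY_AGE = timedelta(days=90)      # the post's rotation interval
DORMANT_AFTER = timedelta(days=180)   # assumption: unused this long means nobody needs it
AUDIT_DATE = date(2026, 6, 12)        # constructed audit date


@dataclass
class IntegrationCred:
    name: str
    owner: Optional[str]          # None means nobody has claimed it
    last_rotated: date
    last_used: Optional[date]     # None means never used, or usage is not logged
    tool_retired: bool            # the integration it served was shut down
    mfa_enforced: bool
    active: bool                  # still accepted by the identity provider


# Constructed inventory: one forgotten prototype key, one healthy credential,
# one already-revoked key.
INVENTORY = [
    IntegrationCred("salesforce-lead-sync-2023", None, date(2023, 8, 14),
                    date(2023, 9, 2), True, False, True),
    IntegrationCred("billing-webhook", "platform-team", date(2026, 5, 20),
                    date(2026, 6, 11), False, True, True),
    IntegrationCred("old-slack-bot", "it-ops", date(2024, 1, 1),
                    None, True, False, False),
]


def audit(creds, today):
    """Return {credential name: [required actions]} for each non-compliant active credential."""
    report = {}
    for c in creds:
        if not c.active:
            continue  # already revoked; nothing left to do
        actions = []
        if c.tool_retired:
            actions.append("revoke: tool retired but credential still active")
        age = today - c.last_rotated
        if age > MAX_KEY_AGE:
            actions.append(f"rotate: last rotated {age.days} days ago")
        if c.last_used is None or today - c.last_used > DORMANT_AFTER:
            actions.append("review: dormant, disable unless the owner confirms it is needed")
        if not c.mfa_enforced:
            actions.append("enforce MFA on this service account")
        if not c.owner:
            actions.append("assign an owner")
        if actions:
            report[c.name] = actions
    return report


def run_audit():
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, actions in run_audit().items():
        print(name)
        for a in actions:
            print("  -", a)
```

Note that "revoke" and "rotate" are separate findings: a retired tool's key should be revoked outright, not rotated, and the audit says so explicitly so that nobody closes the ticket by issuing a fresh key to a dead integration.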

Because in 2026, the most dangerous thing in your stack isn’t the zero-day.

It’s the credential you forgot about.

And someone else didn’t.
